Captive portal and certificates

Author
Storyteller
2018/02/08 06:00:20 (permalink)


Today, without my doing anything, my captive portals do not work anymore.
Both IE and Chrome give me a message about a wrong certificate, but after I force a reconnect I cannot access the login page.
The page seems expired (I think it really is expired because of the IE and Chrome reconnection).
With Firefox I can add the exception and after that it works.
 
I suppose that IE and Chrome stop the session, suspecting a man-in-the-middle attack, and ask me for confirmation. When I confirm they reload the page, but the captive portal session has meanwhile expired and the page is not reachable.
With Chrome, if I try to open an HTTP site without HSTS it works (no man-in-the-middle detection).
 
My two captive portals work on two private networks, 10.40.... and 10.41...., and the portals are in these LANs. How can I solve my problem? I assume the connected computers are guest computers with no chance to install a certificate or a private CA.
 
Graziano.
post edited by Storyteller - 2018/02/08 06:01:53
#1


    leif_erikson
    Re: Captive portal and certificates 2018/05/16 22:13:49
    We also have the same problem, so many users are complaining.

    Does anyone have a solution to this?
     
    FG-500D v5.2.3,build670 (GA)
    #2
    Storyteller
    Re: Captive portal and certificates 2018/05/16 23:21:57
    In IE I must add the site to Trusted Sites, and after several attempts (restarting IE) it shows me the login page. Then I can log in.
     
    But this is a workaround...
     
    Regards,
    Graziano.
    #3
    Fishbone_FTNT
    Re: Captive portal and certificates 2018/05/23 00:19:30
    Hi all,
    somehow I missed this thread. Chrome (and I suppose others will follow) started to require a SAN DNS entry in the certificate for the hostname check.
    In older releases, you can add your own certificate in the auth portal (with the correct FQDN in the cert's DNS SAN), or you can use 5.6.x, which will generate the auth portal certificate on its own.
     
    Do a simple check: see the details of the untrusted certificate. If it's missing a Subject Alternative Name DNS entry which matches your auth portal FQDN, then it's what I am talking about.
     
    Regards,
     Fishbone)(
    #4
    Storyteller
    Re: Captive portal and certificates 2018/05/23 01:23:16
    Hi Fishbone,
    I don't have any FQDN for the guest LAN because I cannot access any internal DNS to resolve it. I have set up two LANs, 10.40.X.X and 10.41.0.0, and the clients try to connect to 10.40/1.0.1:1003 to authenticate.
     
    The certificate with problems seems to be CA CN=support. The message from Chrome is:
    "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."
    After I add it to the Trusted store, the browser tells me the certificate has a problem because the hostname differs from the website.
     
    But I need this WiFi for guests. I cannot ask them to install a CA certificate before connecting. I cannot make guest clients connect to my LAN in order to verify the CA.
     
    Do I have to install a real certificate with the IP as the hostname?
    And can I link to different captive portals in different LANs?
     
    Regards,
    Graziano.
    #5
    Fishbone_FTNT
    Re: Captive portal and certificates 2018/05/23 03:45:45
    Hi Graziano,
    guest access... you can't ask folks to install your CA as a trusted CA, that's clear.

    In that case you can't redirect HTTPS internet connection attempts to the portal without a certificate warning, because the connection must be inspected and replaced with a redirection to your portal.
    I am afraid there is no perfect solution to this.
     
    What you can do is prevent the FortiGate from touching HTTPS at all. You can remove https from:
    config user setting
        set auth-type http https ftp telnet
    end
    ... but this will affect the whole VDOM.
     
    Alternatively, you can create a new VDOM for guests and make this change there.
    The result will be guest timeouts on attempts to access https internet, but it will redirect plain unencrypted http to the portal. Not nice, but an alternative approach without cert warnings.
     
    Once redirected to the portal, you need to trust the HTTPS site (you can use a plaintext logon portal, but I guess you don't want that). Because a redirection to an IP address would require the IP address in the certificate, and no commercial CA would issue a certificate with a private IP in the SAN, I suggest:
    - allow DNS for guests (you can have a DNS server on the FortiGate, too)
    - register some DNS domain with a suitable name
    - create an A record with a suitable name pointing to the private IP address of your portal
    - buy a certificate for that A record's FQDN
    - install this certificate into the FortiGate and use it for the portal
     
    =>
    Guest access:
    1/ https is silent for unauthenticated guests
    2/ http access will be redirected to the https portal, without cert warnings
    3/ guest authenticates
    4/ https (and overall internet access) will start to work according to your policies
     
    As I said, not perfect, but for some it is better than seeing cert warnings. A matter of taste and preference...
     
    hth,
     Fishbone)(
    #6
    Storyteller
    Re: Captive portal and certificates 2018/05/23 03:59:16
    What you can do is to prevent Fortigate to touch HTTPS at all. You can remove https from:
    config user setting
        set auth-type http https ftp telnet
    end
    ... but this will affect whole VDOM.
    This solution satisfies me because I have no other user auth in my LAN, only this one for the guest WiFi LANs.
     
    Thanks.
    Regards,
    Graziano.
    #7
    emnoc
    Re: Captive portal and certificates 2018/05/23 06:46:04
    Purchase a trusted certificate or build an enterprise-level PKI. On the CN and AltName: most if not every browser is NOT looking at the CN if the AltName is present; as said earlier, you need to be aware of this.
     
    http://socpuppet.blogspot.com/2017/11/cn-and-subject-alternative-names-in.html
     
    The problem in the OP is really at the web-browser and security level. Deploying a proper certificate that's trusted will fix your issues; ensure it's in your trusted store.
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #8
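    Fishbone's check in #4 (is the portal FQDN present as a SAN DNS entry?) and emnoc's point in #8 (browsers look at the AltName, not the CN) are the same rule. The following is an added example, not code from the thread or from Fortinet: it applies that rule to a certificate in the dict layout Python's ssl getpeercert() returns. The sample certificates and hostnames are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample certificates in the dict layout that Python's
# ssl.SSLSocket.getpeercert() returns; not real FortiGate certificates.
CN_ONLY_CERT = {"subject": ((("commonName", "support"),),)}  # CN, no SAN
SAN_CERT = {
    "subject": ((("commonName", "guest-portal.example.net"),),),
    "subjectAltName": (("DNS", "guest-portal.example.net"),),
}


def san_names(cert: Dict) -> Tuple[List[str], List[str]]:
    """Split the SAN extension into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    return dns, ips


def _dns_match(pattern: str, host: str) -> bool:
    # One wildcard in the left-most label only; it never spans a dot.
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def portal_cert_problem(cert: Dict, portal_host: str) -> str:
    """Return why a modern browser rejects cert for portal_host, or '' if it fits.

    Rules mirrored: the host must appear in the SAN extension (DNS entry for
    a name, IP entry for an address); a CN-only certificate is rejected even
    when the CN happens to equal the host.
    """
    dns, ips = san_names(cert)
    host = portal_host.lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if not dns and not ips:
        return "no Subject Alternative Name: CN-only certificates are rejected"
    if addr is not None:
        return "" if str(addr) in ips else f"SAN has no IP entry for {addr}"
    if any(_dns_match(p, host) for p in dns):
        return ""
    return f"SAN DNS names {dns} do not match {host}"
```

    Feeding it the CN=support certificate from #5 for either the IP or the name explains both messages Graziano saw; a certificate that passes for the portal's FQDN still fails when the redirect targets the bare 10.40.x.x address, which is why the DNS A record in #6 is needed.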
    boneyard
    Re: Captive portal and certificates 2018/10/20 08:32:25
    I don't fully agree. Yes, for the eventual page a good certificate helps solve that message.
     
    But for the initial redirect on HTTPS requests there is no solution. You can't provide the correct certificate for the https://www.google.com request, which then gets redirected to the captive portal page.
     
    Do you agree, emnoc?
     
    It would help if FortiGate would document this well. It isn't their fault or issue; this is just how SSL is supposed to work.
    #9
    sbuerger
    Re: Captive portal and certificates 2019/03/12 05:18:26
    boneyard
    but for the initial redirect on HTTPS requests there is no solution. you can't provide the correct certificate for the https://www.google.com request which get then redirected to the captive portal page.

     
    Is there a way to simply disable the https -> https redirect?
    So we get http://www.google.de -> https://captiveportalloginpage without warnings, and for https://www.google.de it just does not connect until the user is authenticated?
    #10
    Baptiste
    Re: Captive portal and certificates 2019/03/13 23:43:30
    Hi,
    In my case, with a wired or wireless captive portal, the computer/smartphone detects the captive portal and opens a new tab in order to log in.
    If it's detected by the web browser, there's a top banner indicating I need to log in.

    FGT 100D 5.6.7 + FTK200
    FGT 60E 5.6.7 & 6.0.4
    FGT 40C 5.0.13
    FAZ VM 6.0.4
    FAP 210B/221C/223C/321C/421E
    #11
    boneyard
    Re: Captive portal and certificates 2019/03/16 11:20:31
    That would be a feature request for Fortinet, sbuerger. I'm sure it is possible; the downside is that people might keep trying an https:// website and nothing happens, which isn't very user friendly either.
     
    The captive portal check on smartphones and Windows 10 solves a lot of this indeed.
    #12